Don’t Believe in Killware. It’s Not Real.

Intrusion Team
Oct 29, 2021

Words are weapons, language is a war. Cyber is no different.

We hate politics, but let’s be honest: one side has become expert at twisting the meaning and definition of words and then flinging them back to make the other side look worse than themselves. Speed is everything, and it seems they’re always at least one step ahead. As our own great actor from Texas, Matthew McConaughey, indicated, they have created the illiberal liberal. I guess liberal arts college pays off if you’re into politics. We are not. But we are into cyber, cyberdefense and IT security. And as an industry, we are no better.

In my time with the US Air Force and as a defense contractor in the cyber domain, I have worked on things like implementing an F2T2EA (find, fix, track, target, engage) process into a cyber defense mission framework. That was taking a battlefield airborne ISR approach to cyber defense. I helped with language in Joint and Service doctrine related to Persistent Engagement, Partnerships, Cyber ISR, and such. I fought over terms like recon versus surveillance and strike versus interdict. It seemed these eristic exercises never ended, because everyone needs a bullet statement on their annual evaluation. That was just the DoD.

Now let’s consider the IT security industry and IT security journalism. Just last week two things happened in our favorite space: the Twittersphere! One was a survey by someone I look to as one of the oracles of cyber defense, and the other was a journalist who created what you could call a neologism: Killware. If you don’t know it by now, the best part of Twitter is never the original post, but the shenanigans…uh, I mean comments, that come afterward.

Our first case was a survey where participants could select three options for the definition of XDR (extended detection & response, according to Trend Micro). I lost count of the responses, but somewhere in all those shenanigan responses, my favorite, from Hogfly, was: “A farce. Revisionist history – An attempt to recast the failing of SIEM without recognition it’s just more of the same and that it’s what SIEM was always intended to be.” Seriously though, there were some great opinions from INFOSEC and IT security experts, but what is it? It’s most likely just an improved version of things we’ve been using all along. Does it warrant its own name? Does it really differentiate from SIEM, EDR, NDR, NPR, ABC, NBC? How does an executive controlling funding know what he or she is getting for the money?

Can we just stop?

Then another rhetorically tragic, truly unnerving, complete murder of all things holy in IT security journalism happened: a new term, Killware. It is software, usually in the form of malware, specifically designed and programmed to take human life.

The good news? The INFOSEC community quickly revolted, and I couldn’t even get a comment in. A steady stream of reactions, far better than any I could have offered, dominated the community. And just when I thought the world had nearly ended, I realized I was still safe, in a community of thoughtful, level-headed analysts who recognized things as being what they are. Killware is not and will not ever be a thing, and this is why: code does not keep humans alive or cause them to live. Code, like medicine, can only affect the quality of life, for better or worse.

Perhaps code is used to control the drip flow of medicine to a patient as a matter of efficiency and automation, freeing up valuable nursing time to tend to other patients. Bad code could disrupt this device, but in most cases the attacker would only know he or she is noodling around on some operating system. They most likely wouldn’t know that it is actively attached to a patient, only that it is on and is responding to their actions. The hacker hacks the device, but I would wager that 99% of the time it’s only to hack the device. If they knew there was a life attached to it, they would most likely back out. Even the hackers responsible for the Colonial Pipeline attack acknowledged that had they known what they were tinkering with, they would have chosen a different path.

Coming from a military background, I can say that in almost every instance the price of human life was and is an effect reserved for the worst of times, but it is only an effect. The true attack is to disable, disrupt or destroy a capability. The goal is rarely to impose the cost of human life. As a matter of fact, we do everything possible to avoid it. Hackers and cybercriminals are motivated by money. Period. There may be a few more devious ones, but most just want money and reward. No one wants to go to prison for taking a life, much less a life they had no idea was connected to the tech they were hacking.

So always keep this in mind. There is no killware. There are many wares intended to do bad things…to other technologies. The fact that there might be a human or humans attached to it is an unintended consequence, an unintended effect. We used to talk about this as 2nd and 3rd order and tertiary effects. The good news is that most of us INFOSEC experts jumped on this right away, and hopefully the creator of the word has been properly shamed into never using said word again. The bad news is that it’s out there, and some security companies, following the same journalistic code that clicks equal money, were still using it as recently as yesterday.

Please. Stop.
